From unknown Sun Jun 15 08:59:22 2025
Subject: [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file
Resent-From: Tomas Volf
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 01 Aug 2023 21:08:01 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
X-Debbugs-Original-To: guix-patches@gnu.org
From: Tomas Volf
Date: Tue, 1 Aug 2023 22:53:10 +0200
X-Mailer: git-send-email 2.41.0

When having an encrypted /boot, it is currently necessary to input a password twice, once for /boot (so that grub can find its configuration) and later once more in order to actually unlock / itself. It is not very user friendly and gets annoying quickly in more exotic setups. For example, with / on RAID1 BTRFS, the password needs to be entered 4 times. And even without that, for large encrypted arrays, the password needs to be entered once per drive.

The obvious solution to this is to just use the --key-file option of the luksOpen command, however support for that was not implemented. This series adds that support.

Another problem is where to store the key file, since it needs to be present in the initrd, but it cannot be in the store (since that would make it world-readable, and you do not want that for an encryption key). Luckily for us, grub can load multiple initrds and merge them, so an option to specify an additional initrd (not from the store) is added as well. Since extlinux does not appear to support encrypted /boot (and this new option should not be used for anything else), it was added only into grub.
Tomas Volf (2):
  mapped-devices: Allow unlocking by a key file
  gnu: bootloader: grub: Add support for loading an additional initrd

 doc/guix.texi                 | 32 +++++++++++++++++
 gnu/bootloader.scm            |  6 +++-
 gnu/bootloader/grub.scm       |  6 ++--
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 4 files changed, 83 insertions(+), 28 deletions(-)

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
-- 
2.41.0
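The design sketched in the cover letter hinges on a second cpio archive: the key file lives in an archive outside the store, GRUB hands it to the kernel next to the store initrd, and the kernel unpacks both into the same initramfs root where cryptsetup later reads the key from the path given to #:key-file. The archive format involved is newc (what `cpio -oH newc` emits and the only one the kernel unpacks). The following is an added example, not code from this series or from Guix: it builds such an archive in plain Python without the cpio tool, parses it back, and runs the checks a reviewer would want before pointing a bootloader at it: the entry exists under exactly the path that will be passed to #:key-file, the mode recorded in the archive (which is what the kernel applies on unpacking) has no group/other bits, and the key bytes do not end in a newline left behind by a shell `echo`, because cryptsetup reads a key file verbatim and the archived bytes must be the ones enrolled in the LUKS keyslot. The path /key-file.bin, the 0o400 mode and all helper names are assumptions for the example.

```python
"""Build and check a newc cpio archive that carries a LUKS key file.

Added example for this patch series; it is not code from the series or
from Guix.  It produces the archive format that the documented
`echo /key-file.bin | cpio -oH newc` pipeline does (newc is the format
the kernel unpacks as an initramfs), without needing the cpio tool, and
then inspects the result the way a reviewer would before pointing
`extra-initrd` at it.  Paths and helper names are assumptions.
"""
import os
import stat
import tempfile

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
HEADER_LEN = 110  # 6-byte magic + 13 eight-digit hex fields


def _pad4(n):
    """Bytes of zero padding needed to bring n up to a 4-byte boundary."""
    return (-n) % 4


def _header(name, size, mode, ino):
    """newc header: magic followed by 13 fields, each 8 ASCII hex digits:
    ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    rdevmajor, rdevminor, namesize (NUL included), check."""
    namesize = len(name.encode()) + 1
    fields = (ino, mode, 0, 0, 1, 0, size, 0, 0, 0, 0, namesize, 0)
    return NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)


def build_keyfile_initrd(entries):
    """Pack (path, data, mode) triples into a newc archive and return its bytes.

    `mode` is what the kernel applies when it unpacks the file, so this is
    where 0o400 versus 0o644 inside the initramfs is decided."""
    out = bytearray()
    for ino, (path, data, mode) in enumerate(entries, start=1):
        name = path.encode() + b"\0"
        hdr = _header(path, len(data), stat.S_IFREG | (mode & 0o7777), ino)
        out += hdr + name + b"\0" * _pad4(HEADER_LEN + len(name))
        out += data + b"\0" * _pad4(len(data))
    name = TRAILER.encode() + b"\0"
    hdr = _header(TRAILER, 0, 0, 0)
    out += hdr + name + b"\0" * _pad4(HEADER_LEN + len(name))
    return bytes(out)


def read_newc(blob):
    """Parse a newc archive into {path: (mode, data)}; raise on corruption."""
    entries, pos = {}, 0
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
                  for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        pos += HEADER_LEN
        name = blob[pos:pos + namesize - 1].decode()
        pos += namesize + _pad4(HEADER_LEN + namesize)
        if name == TRAILER:
            return entries
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data for %s" % name)
        pos += size + _pad4(size)
        entries[name] = (mode, data)


def check_key_archive(blob, key_path):
    """Return the problems a reviewer would flag; an empty list means OK."""
    entries = read_newc(blob)
    if key_path not in entries:
        return ["no entry %r; cryptsetup --key-file %s would not find it"
                % (key_path, key_path)]
    problems = []
    mode, data = entries[key_path]
    if not stat.S_ISREG(mode):
        problems.append("%s is not a regular file" % key_path)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access" % (mode & 0o777))
    if not data:
        problems.append("key file is empty")
    elif data.endswith(b"\n"):
        # cryptsetup reads a key file verbatim, so a newline left behind by
        # a shell `echo` is part of the key and must also have been enrolled.
        problems.append("key ends with a newline; enrol exactly these bytes")
    return problems


def write_private(path, blob):
    """Create the archive 0600 and never clobber an existing file.  GRUB reads
    the filesystem directly and ignores these bits; they only keep the
    archive away from unprivileged users once the system is up."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)


if __name__ == "__main__":
    key = os.urandom(64)  # stands in for the contents of /key-file.bin
    archive = build_keyfile_initrd([("/key-file.bin", key, 0o400)])
    out = os.path.join(tempfile.mkdtemp(), "key-file.cpio")
    write_private(out, archive)
    print(out, check_key_archive(archive, "/key-file.bin") or "ok")
    sloppy = build_keyfile_initrd([("/key-file.bin", b"hunter2\n", 0o644)])
    print(check_key_archive(sloppy, "/key-file.bin"))
```

The archive that `write_private` produces is what the bootloader-configuration `extra-initrd` field would point at, and the entry name passed to `build_keyfile_initrd` is the string that goes to `#:key-file`; keeping those two strings identical is the whole contract, which is why `check_key_archive` takes the key path as an argument rather than guessing it.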
From unknown Sun Jun 15 08:59:22 2025
Subject: [bug#65002] [PATCH 1/2] mapped-devices: Allow unlocking by a key file
Resent-From: Tomas Volf
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 01 Aug 2023 21:10:01 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
From: Tomas Volf
Date: Tue, 1 Aug 2023 23:09:20 +0200
X-Mailer: git-send-email 2.41.0

Requiring the user to input their password in order to unlock a device is not always reasonable, so having an option to unlock the device using a key file is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New procedure
---
 doc/guix.texi                 | 12 +++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 58cc3d7aad..a857654191 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17622,6 +17622,18 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. If it fails, password unlock is attempted as well. Key file +is not stored in the store and needs to be available at the specified +path at the time of the unlock attempt. +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel
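Review bot: the @deffn text states "Key file is not stored in the store" as if the procedure guaranteed it, but nothing in this series checks the value; reword it as a requirement on the caller and spell out the contract: @code{key-file} must be a plain string (a file-like object such as @code{local-file} would be copied into the world-readable store), and the string is the path as seen inside the initrd at unlock time, i.e. the same name the user packs into the extra initrd. The doc should also say what happens when the file is absent (the patch falls back to the passphrase prompt, silently), since that is the behaviour a user will hit on the first misconfiguration.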
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..79b776e81e 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2023 Tomas Volf ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) @@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure @@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
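Review bot: `(keyfile #$key-file)` ungexps the value straight into the build-side code, so if a user passes a file-like object instead of a string it is lowered to a /gnu/store path and the key ends up world-readable, which is exactly what the cover letter sets out to avoid. Validate in `open-luks-device` (or in `luks-device-mapping-with-options`) that `key-file` is either #f or a string, and raise an error when the string starts with the store prefix, e.g. `(unless (or (not key-file) (string? key-file)) (raise ...))`. The docstring on the line below still says "Return a gexp that maps SOURCE to TARGET" and should mention the new KEY-FILE argument.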
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." 
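Review bot: the fallback `(or (and keyfile (zero? ...)) (zero? ...))` treats a missing or unreadable key file and a key file that matches no keyslot identically, and in both cases drops into the interactive prompt without saying why, so a typo in the path or a forgotten luksAddKey looks like a working setup that just asks for a passphrase; print a message before falling back, e.g. `(format #t "cryptsetup: key file ~a did not unlock ~a, asking for passphrase~%" keyfile partition)`. Hoisting the partition lookup into the `let` so it runs once for both attempts is right. Two style points: the `system*/tty` argument list `"open" "--type" "luks" ... partition #$target` is duplicated in both branches and could be a local procedure taking the extra arguments; and the comment should read "fall back", not "fallback".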
@@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
-- 
2.41.0
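Review bot: `(open (λ (source targets) ...))` uses the λ character where the rest of this file and Guix generally write `lambda`; use `(lambda (source targets) ...)`. The docstring describes the mechanism ("with open modified to pass the arguments into the open-luks-device procedure") rather than the contract; say what KEY-FILE is and that the passphrase prompt remains the fallback. The ChangeLog entry in the commit message lists `(luks-device-mapping): New keyword argument`, but the keyword was added to `open-luks-device`, and the doc/guix.texi change is not listed; the entries should be `(open-luks-device): Add #:key-file.`, `(luks-device-mapping-with-options): New procedure.` and `* doc/guix.texi (Mapped Devices): Document it.`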
From unknown Sun Jun 15 08:59:22 2025
Subject: [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
Resent-From: Tomas Volf
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 01 Aug 2023 21:10:02 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
From: Tomas Volf
Date: Tue, 1 Aug 2023 23:09:21 +0200
Message-ID: <01792b1d4bf827da9d10b4f06cfe9127b9cfbe45.1690922760.git.wolf@wolfsden.cz>
X-Mailer: git-send-email 2.41.0

In order to be able to provide decryption keys for the LUKS device, they need to be available in the initial ram disk. However they cannot be stored inside the usual initrd, since it is stored in the store and being world-readable (as files in the store are) is not a desired property for an initrd containing decryption keys.

This commit adds an option to load an additional initrd during the boot, one that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index a857654191..c63f28786e 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +Path to an additional initrd to load. Should not point to a file in the +store. Typical use case is making keys to unlock LUKS device available +during the boot process. For any use case not involving secrets, you +should use regular initrd (@pxref{operating-system Reference, +@code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by grub. @end table @end deftp diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index 2c36d8c6cf..8cebcf8965 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -77,6 +77,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +280,10 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f)) ;string | #f + ) (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..49cb3f7725 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm 
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a 
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry))
-- 
2.41.0
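Review bot: in the doc/guix.texi hunk, the recipe `echo /key-file.bin | cpio -oH newc >/key-file.cpio` followed by `chmod 0000 /key-file.cpio` protects the archive on disk but says nothing about /key-file.bin itself, whose mode cpio records in the archive and the kernel applies when unpacking; tell users to create the key with restrictive permissions (root-owned, 0400) before archiving, and say explicitly that the string passed to #:key-file must be the entry name as stored in the archive (here /key-file.bin). "Should not point to a file in the store" reads as advice; it is a hard requirement that nothing enforces, so say "must not". Minor wording: "Suitable image can be created" should be "A suitable image can be created", and "readable by the grub" should be "readable by GRUB".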
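Review bot: in the gnu/bootloader.scm hunk, the closing parenthesis placed on its own line after `(default #f)) ;string | #f` is not Guix style; close the record on the previous line, `(default #f))) ;string | #f`, so the diff against the old `(default #t))) ;boolean` stays minimal. This field is also the one place where the "not in the store" rule from the documentation can be enforced at configuration time: add a sanitizer that rejects a string starting with /gnu/store (and any non-string other than #f) instead of letting the mistake surface only as a world-readable key at boot.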
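Review bot: `(or #$extra-initrd "")` interpolates the configured path verbatim into the `initrd` line, whereas `#$initrd` on the same line went through `normalize-file` with `device-mount-point` and `store-directory-prefix` (see the previous hunk's context, "in case DEVICE-MOUNT-POINT is not "/""). `grub-root-search device linux` sets GRUB's root to the store device, so on a system where the store is not mounted at "/" the extra initrd is looked up on the wrong filesystem; either normalize `extra-initrd` the same way or document that the path is as GRUB sees it on that device. Two smaller points: when `extra-initrd` is #f the template emits `initrd  /gnu/store/...` with an empty first argument, which GRUB tolerates but is sloppy, so build the argument list conditionally; and the order of the two archives decides which one's files take precedence if both contain the same path, so the choice to put the extra initrd first deserves a comment.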
From unknown Sun Jun 15 08:59:22 2025
Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
Resent-From: Tomas Volf
Resent-CC: guix-patches@gnu.org
Resent-Date: Wed, 02 Aug 2023 13:04:01 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
From: Tomas Volf
Date: Wed, 2 Aug 2023 15:02:44 +0200
Message-ID: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
X-Mailer: git-send-email 2.41.0

Requiring the user to input their password in order to unlock a device is not always reasonable, so having an option to unlock the device using a key file is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New procedure
---
untabify

 doc/guix.texi                 | 12 +++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 58cc3d7aad..a857654191 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17622,6 +17622,18 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. If it fails, password unlock is attempted as well. Key file +is not stored in the store and needs to be available at the specified +path at the time of the unlock attempt. +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..0755036763 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2023 Tomas Volf ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) @@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure @@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." 
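Review bot: In the rewritten `open-luks-device` hunk, a key-file attempt that fails (`(and keyfile (zero? (system*/tty ... "--key-file" keyfile partition #$target)))`) falls through to the second `system*/tty` without any message, so a missing, unreadable or stale key file is indistinguishable from a deliberately interactive boot and the fallback hides the misconfiguration. Suggest emitting a line such as `(format (current-error-port) "unlocking ~a with key file ~a failed, falling back to passphrase~%" partition keyfile)` between the two attempts, and factoring the duplicated `cryptsetup open --type luks` invocation into one local procedure that takes the extra arguments, so the two calls cannot drift apart.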
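Review bot: The `(define* (open-luks-device source targets #:key key-file)` hunk keeps the old docstring "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." and does not mention the new keyword; document that KEY-FILE, when not #f, is a file name handed to `cryptsetup open --key-file` inside the initrd, so it has to exist in the initial RAM disk at unlock time and is tried before the passphrase prompt.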
@@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'." base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7 -- 2.41.0 From unknown Sun Jun 15 08:59:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Resent-From: Tomas Volf Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 02 Aug 2023 13:04:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 65002 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 65002@debbugs.gnu.org Cc: Tomas Volf Received: via spool by 65002-submit@debbugs.gnu.org id=B65002.169098141518916 (code B ref 65002); Wed, 02 Aug 2023 13:04:02 +0000 Received: (at 65002) by debbugs.gnu.org; 2 Aug 2023 13:03:35 +0000 Received: from localhost ([127.0.0.1]:49128 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qRBVm-0004uw-K1 for submit@debbugs.gnu.org; Wed, 02 Aug 2023 09:03:34 -0400 Received: from wolfsden.cz ([37.205.8.62]:34570) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qRBVi-0004uf-QT for 65002@debbugs.gnu.org; Wed, 02 Aug 2023 09:03:32 -0400 Received: by wolfsden.cz (Postfix, from userid 104) id 003CF269A5A; Wed, 2 Aug 2023 13:03:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wolfsden.cz; s=mail; t=1690981410; bh=H3o4VWBJFRBDCTPIn9sdJRunY6hUg3BcfyGOtH+x/B0=; 
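Review bot: In the `luks-device-mapping-with-options` hunk of gnu/system/mapped-devices.scm, the new kind inherits `check-luks-device` unchanged, so `#:key-file` is never validated: a non-string or a typo in the file name is discovered only at boot, when the key-file attempt fails and the passphrase prompt appears. At minimum check in this procedure that KEY-FILE is #f or a string and raise an error otherwise, and have the docstring say that only the `open` procedure is overridden while `close` and `check` stay those of `luks-device-mapping`.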
From: Tomas Volf
Date: Wed, 2 Aug 2023 15:02:45 +0200
X-Mailer: git-send-email 2.41.0
In-Reply-To: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
References: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being world-readable
(as files in the store are) is not a desired property for an initrd containing
decryption keys.

This commit adds an option to load additional initrd during the boot, one
that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +Path to an additional initrd to load. Should not point to a file in the +store. Typical use case is making keys to unlock LUKS device available +during the boot process. For any use case not involving secrets, you +should use regular initrd (@pxref{operating-system Reference, +@code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by grub. @end table @end deftp diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index 2c36d8c6cf..8cebcf8965 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -77,6 +77,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +280,10 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f)) ;string | #f + ) (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..49cb3f7725 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm 
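Review bot: In the doc/guix.texi hunk, the example `echo /key-file.bin | cpio -oH newc >/key-file.cpio` followed by `chmod 0000 /key-file.cpio` protects only the on-disk archive: cpio records the mode of /key-file.bin itself in the archive and the kernel restores that mode when it unpacks the initramfs, so the text should tell the reader to create the key file as root with mode 0400 before archiving it. The manual should also give the reason the file must not live in the store (the store is world-readable), which the commit message states but the manual does not, and should not suggest that `chmod 0000` hides the archive from GRUB, which reads the file system directly and ignores permission bits.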
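Review bot: In the gnu/bootloader.scm record hunk, the closing parenthesis of `define-record-type*` is left on a line of its own after the new `extra-initrd` field; put it at the end of `(default #f))` as the neighbouring fields do. The comment `;string | #f` is also the only statement of the expected type: since the value is later spliced verbatim into the generated GRUB configuration, consider a sanitizer that rejects anything other than #f or a string so that a bad value fails at `guix system` time rather than at boot.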
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a 
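Review bot: `extra-initrd` is bound straight from `bootloader-configuration-extra-initrd` while `initrd` on the lines just above goes through `normalize-file` with DEVICE-MOUNT-POINT and STORE-DIRECTORY-PREFIX; a file name such as `/root/key-file.cpio` is then interpreted by GRUB relative to the root selected by `grub-root-search` for the kernel, so when the store is not mounted at "/" or the key archive lives on a different file system the path is wrong and the boot fails in exactly the way the manual text warns about. Either normalize it the same way or document that the file name is resolved by GRUB, not by the booted system.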
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry)) -- 2.41.0 From unknown Sun Jun 15 08:59:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file References: In-Reply-To: Resent-From: Dominik Riva Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 10 Aug 2023 04:22:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 65002 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: "65002@debbugs.gnu.org" <65002@debbugs.gnu.org> Received: via spool by 65002-submit@debbugs.gnu.org id=B65002.169164127623799 (code B ref 65002); Thu, 10 Aug 2023 04:22:01 +0000 Received: (at 65002) by debbugs.gnu.org; 10 Aug 2023 04:21:16 +0000 Received: from localhost ([127.0.0.1]:40941 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qTxAg-0006Bl-E4 for submit@debbugs.gnu.org; Thu, 10 Aug 2023 00:21:16 -0400 Received: from mail-4322.protonmail.ch ([185.70.43.22]:42313) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qTtS4-0007v8-Q8 for 65002@debbugs.gnu.org; Wed, 09 Aug 2023 20:22:58 -0400 Date: Thu, 10 Aug 2023 00:22:45 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail3; t=1691626970; x=1691886170; bh=n4E9D2qACera/nJ3tF2wAkTLL0bjbjCt8t7cYHAdODo=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=cXMDXBewniam+nJyFWJlqXYBWASVZZ+eZpW4o2arHAMru2kcrZf3mcARlnAoEbma+ 5YXNZGMT6QjpQ/pP878U5/XnzTclpfpp1xdEjnF/n5F54BelDU+C5IJ+r3L6Ywz2Ej JMfxbhxqYzVhYLLnuBvooGVl8J+bPNzK8eDj/P/B/5Fn/G7w2QiRBNOMCU6ZlrTkZb 
From: Dominik Riva

Hi,

I can confirm, the patches work for me but as I'm still quite ignorant
about Guile and Guix, examples would have helped a lot.

  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  ;; /root in /root/key-file.cpio refers to the
  ;; /dev/mapper/enc btrfs root subvolume and not the home of root.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader-luks2)
                (targets '("/boot/efi"))
                (keyboard-layout keyboard-layout)
                (extra-initrd "/root/key-file.cpio")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
          (target "enc")
          (type (luks-device-mapping-with-options #:key-file "/key-file.bin")))))

The snippet from https://issues.guix.gnu.org/55723#0 also needed some
changes. I had to swap line 2 with 3, I switched ext2 with btrfs, and the
different format for the uuid ticked me as well.

But now I have a booting system and the passphrase only gets asked for once.

Thanks,
Dominik

[1] full config.scm: https://paste.debian.net/1288436/
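The manual hunk in the 2/2 patch builds the extra initrd with `cpio -oH newc`, and Dominik's configuration above loads that archive through `extra-initrd` and points `#:key-file` at the file inside it. As an added example (not part of the patches or of Dominik's configuration), the following Python code writes and parses that SVR4 newc format so a key archive can be built and audited offline; it shows that each entry carries its own mode bits, which the initramfs unpacker restores, so the key file must be 0400 before it is archived. The key bytes and file names are constructed here.

```python
"""Writer and parser for the SVR4 'newc' cpio format, the format that
'cpio -oH newc' produces and the Linux kernel unpacks as an initramfs.
Added example; not part of the Guix patches."""
import stat

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round N up to a multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def _header(name, mode, size, ino):
    """Build one newc header plus the NUL-terminated, padded name."""
    raw_name = name.encode() + b"\0"
    # Field order: ino mode uid gid nlink mtime filesize devmajor devminor
    # rdevmajor rdevminor namesize check.  uid/gid 0: the key belongs to root.
    fields = [ino, mode, 0, 0, 1, 0, size, 0, 0, 0, 0, len(raw_name), 0]
    hdr = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    return hdr + raw_name + b"\0" * _pad4(HEADER_LEN + len(raw_name))


def write_newc(entries):
    """ENTRIES is a list of (name, mode, data); return the archive bytes."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries, start=1):
        out += _header(name, mode, len(data), ino)
        out += data + b"\0" * _pad4(len(data))
    out += _header(TRAILER, 0, 0, 0)  # end-of-archive marker
    return bytes(out)


def read_newc(blob):
    """Parse a newc archive; return [(name, mode, data), ...].
    Raises ValueError on a bad magic so a corrupted archive is rejected."""
    entries, off = [], 0
    while True:
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16)
                  for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name = blob[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode()
        off += HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        if name == TRAILER:
            return entries
        data = bytes(blob[off:off + size])
        off += size + _pad4(size)
        entries.append((name, mode, data))


def build_key_initrd(key_bytes, name="key-file.bin", mode=0o400):
    """Archive KEY_BYTES as regular file NAME, like the manual's
    'echo /key-file.bin | cpio -oH newc'.  MODE is stored in the archive
    and applied by the kernel when the initramfs is unpacked, which is
    why the key file must already be 0400 when it is archived."""
    return write_newc([(name, stat.S_IFREG | mode, key_bytes)])


def overexposed_entries(blob):
    """Names of entries readable by group or others: the check to run
    before pointing 'extra-initrd' at an archive."""
    return [name for name, mode, _ in read_newc(blob) if mode & 0o077]


if __name__ == "__main__":
    # Constructed 64-byte key, a stand-in for a real LUKS key-slot secret.
    key = bytes(range(64))
    good = build_key_initrd(key)
    bad = build_key_initrd(key, mode=0o644)
    print(len(good), read_newc(good)[0][:2], overexposed_entries(good))
    print(overexposed_entries(bad))
```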
From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 09 11:58:03 2024
Date: Tue, 09 Jan 2024 17:57:54 +0100
Message-ID: <900866bd2cdb4a0f7ca3897756f77da5@wolfsden.cz>
To: control@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Subject: control message for bug #65002

submitter 65002 !
quit

From unknown Sun Jun 15 08:59:22 2025
Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
Resent-From: Ludovic Courtès
Resent-Date: Tue, 09 Jan 2024 23:22:02 +0000
To: Tomas Volf
Cc: 65002@debbugs.gnu.org
From: Ludovic Courtès
In-Reply-To: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz> (Tomas Volf's message of "Wed, 2 Aug 2023 15:02:44 +0200")
References: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
Date: Wed, 10 Jan 2024 00:21:19 +0100
Message-ID: <87il42w0sw.fsf@gnu.org>

Hello!

I know, I know, it’s taken way too long… My apologies!

Tomas Volf skribis:

> Requiring the user to input their password in order to unlock a device is not
> always reasonable, so having an option to unlock the device using a key file
> is a nice quality of life change.

Agreed; there’s interest for this feature, I’ve heard it quite a few times.

> * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> procedure

No need to repeat the file name here. Please also mention the
doc/guix.texi changes.

> +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> +Return a @code{luks-device-mapping} object, which defines LUKS block
> +device encryption using the @command{cryptsetup} command from the
> +package with the same name. It relies on the @code{dm-crypt} Linux
> +kernel module.
> +
> +If @code{key-file} is provided, unlocking is first attempted using that
> +key file. If it fails, password unlock is attempted as well. Key file
> +is not stored in the store and needs to be available at the specified
> +path at the time of the unlock attempt.
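Review bot: The quoted @deffn text says the key file "needs to be available at the specified path at the time of the unlock attempt" but not how that comes about: when the mapped device is opened only the initial RAM disk is mounted, so the file has to be shipped through the bootloader's `extra-initrd` field from the companion patch. Add a cross-reference to that field here, and state plainly that a failed key-file attempt falls back to the passphrase prompt without an error, so a user who sees the prompt should suspect the key file rather than the passphrase.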
s/specified path/given location/

Perhaps add a sentence or two saying that the advantage is that it
allows you to avoid typing the passphrase, for instance by passing the
key file on a USB key (would that work?), but that this may not be
suitable for all use cases.

I’d also add a short commented config example.

I wonder if we could have a system test; it doesn’t sound very easy so
maybe we’ll skip, but you can check that the “encrypted-root-os” test,
which exercises ‘luks-device-mapping’, still passes (it takes time and
disk space).

The rest LGTM!

Ludo’.

From unknown Sun Jun 15 08:59:22 2025
Subject: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
Resent-From: Ludovic Courtès
Resent-Date: Tue, 09 Jan 2024 23:29:01 +0000
To: Tomas Volf
Cc: 65002@debbugs.gnu.org
From: Ludovic Courtès
In-Reply-To: (Tomas Volf's message of "Wed, 2 Aug 2023 15:02:45 +0200")
References: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
Date: Wed, 10 Jan 2024 00:28:18 +0100
Message-ID: <87edeqw0h9.fsf@gnu.org>

Tomas Volf skribis:

> In order to be able to provide decryption keys for the LUKS device, they need
> to be available in the initial ram disk. However they cannot be stored inside
> the usual initrd, since it is stored in the store and being
> world-readable (as files in the store are) is not a desired property for an
> initrd containing decryption keys.

This explanation should go in the manual IMO (it’s already partly there).

> This commit adds an option to load additional initrd during the boot,
> one that is not stored inside the store and therefore can contain
> secrets.
>
> Since only grub supports encrypted /boot, only grub is modified to use the
> extra-initrd. There is no use case for the other bootloaders.
>
> * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> field.
> * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> * gnu/bootloader/grub.scm: Use the new extra-initrd field

It’d be great if you could specify the entities changed in each file
(which variable/procedure is changed, what is added/removed). A
committer can do it on your behalf later if you’re unsure.

> +@item @code{extra-initrd} (default: @code{#f})
> +Path to an additional initrd to load. Should not point to a file in the

s/Path/File name/ (by convention)

Please make full sentences. “Should not” is probably too strong;
perhaps: “It may or may not point to a file in the store, but the main
use case is for out-of-store files containing secrets.”

> +store. Typical use case is making keys to unlock LUKS device available

Add a line break after “store.” to distinguish the reference from the
discussion of one possible use case.

> +during the boot process. For any use case not involving secrets, you
> +should use regular initrd (@pxref{operating-system Reference,
> +@code{initrd}}) instead.
> +
> +Suitable image can be created for example like this:
> +
> +@example
> +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> +chmod 0000 /key-file.cpio
> +@end example
> +
> +Be careful when using this option, since pointing to a file that is not
> +readable by the grub while booting will cause the boot to fail and
> +require a manual edit of the initrd line in the grub menu.
> +
> +Currently only supported by grub.

s/grub/GRUB/

Would be great if you could include also a short config example here,
or add a cross-reference to the example for
‘luks-device-mapping-with-options’ if that covers both.

> +  (extra-initrd bootloader-configuration-extra-initrd
> +                (default #f))        ;string | #f
> +  )

No lonely paren please. :-)

Otherwise LGTM. Could you send updated patches with these minor
changes?

Thanks!

Ludo’.
Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
To: Ludovic Courtès
Cc: 65002@debbugs.gnu.org
Date: Thu, 11 Jan 2024 13:39:35 +0100
From: Tomas Volf <~@wolfsden.cz>
In-Reply-To: <87il42w0sw.fsf@gnu.org>

On 2024-01-10 00:21:19 +0100, Ludovic Courtès wrote:
> Hello!
>
> I know, I know, it’s taken way too long… My apologies!

No worries, thank you for getting to it. :)

>
> > * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> > * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> > procedure
>
> No need to repeat the file name here. Please also mention the
> doc/guix.texi changes.

Adjusted. I also fixed the name of the first procedure (should have been
open-luks-device).

>
> > +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> > +Return a @code{luks-device-mapping} object, which defines LUKS block
> > +device encryption using the @command{cryptsetup} command from the
> > +package with the same name. It relies on the @code{dm-crypt} Linux
> > +kernel module.
> > +
> > +If @code{key-file} is provided, unlocking is first attempted using that
> > +key file. If it fails, password unlock is attempted as well. Key file
> > +is not stored in the store and needs to be available at the specified
> > +path at the time of the unlock attempt.
>
> s/specified path/given location/
>
> Perhaps add a sentence or two saying that the advantage is that it
> allows you to avoid typing the passphrase, for instance by passing the
> key file on a USB key (would that work?), but that this may not be
> suitable for all use cases.

Added a sentence.

As for the USB key, that would not currently work. The file needs to be
accessible to the init script, so the USB would need to be mounted first.
I believe extending the code to support it would not be hard (adding e.g.
#:device to luks-device-mapping-with-options), but I have no use for it, so
I did not intend to do it in this series. Maybe later.

>
> I’d also add a short commented config example.

Done.

>
> I wonder if we could have a system test; it doesn’t sound very easy so
> maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> which exercises ‘luks-device-mapping’, still passes (it takes time and
> disk space).

It does not pass, but it fails even on master ¯\_(ツ)_/¯:

    guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt

It seems somewhat hard to do it based on encrypted-root-os, but should be
much easier basing it on encrypted-home-os. I might give it a try.

>
> The rest LGTM!
>
> Ludo’.

--
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
Subject: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
To: Ludovic Courtès
Cc: 65002@debbugs.gnu.org
Date: Thu, 11 Jan 2024 14:32:26 +0100
From: Tomas Volf <~@wolfsden.cz>
In-Reply-To: <87edeqw0h9.fsf@gnu.org>

On 2024-01-10 00:28:18 +0100, Ludovic Courtès wrote:
> Tomas Volf skribis:
>
> > In order to be able to provide decryption keys for the LUKS device, they need
> > to be available in the initial ram disk. However they cannot be stored inside
> > the usual initrd, since it is stored in the store and being a
> > world-readable (as files in the store are) is not a desired property for a
> > initrd containing decryption keys.
>
> This explanation should go in the manual IMO (it’s already partly there).

Done.

>
> > This commit adds an option to load additional initrd during the boot,
> > one that is not stored inside the store and therefore can contain
> > secrets.
> >
> > Since only grub supports encrypted /boot, only grub is modified to use the
> > extra-initrd. There is no use case for the other bootloaders.
> >
> > * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> > field.
> > * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> > * gnu/bootloader/grub.scm: Use the new extra-initrd field
>
> It’d be great if you could specify the entities changes in each file
> (which variable/procedure is changed, what is added/removed). A
> committer can do it on your behalf later if you’re unsure.

Done, this was one of my first patches and I was quite unsure about the commit
message format. These days I am still unsure, but a little less so. ^_^

>
> > +@item @code{extra-initrd} (default: @code{#f})
> > +Path to an additional initrd to load. Should not point to a file in the
>
> s/Path/File name/ (by convention)
>
> Please make full sentences. “Should not” is probably too strong;
> perhaps: “It may or may not point to a file in the store, but the main
> use case is for out-of-store files containing secrets.”

For content that can be present in the store, the regular `initrd' should be
used instead I think. However I adjusted the wording.

>
> > +store. Typical use case is making keys to unlock LUKS device available
>
> Add a line break after “store.” to distinguish the reference from the
> discussion of one possible use case.
>
> > +during the boot process. For any use case not involving secrets, you
> > +should use regular initrd (@pxref{operating-system Reference,
> > +@code{initrd}}) instead.
> > +
> > +Suitable image can be created for example like this:
> > +
> > +@example
> > +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> > +chmod 0000 /key-file.cpio
> > +@end example
> > +
> > +Be careful when using this option, since pointing to a file that is not
> > +readable by the grub while booting will cause the boot to fail and
> > +require a manual edit of the initrd line in the grub menu.
> > +
> > +Currently only supported by grub.
>
> s/grub/GRUB/
>
> Would be great if you could include also a short config example here, or
> add a cross-reference to the example for
> ‘luks-device-mapping-with-options’ if that covers both.

I added an example illustrating how these two work together.

>
> > + (extra-initrd bootloader-configuration-extra-initrd
> > + (default #f)) ;string | #f
> > + )
>
> No lonely paren please. :-)

Well I moved the paren, but now the comment (string | #f) looks like it is
for the whole top-level sexp, not just for the extra-initrd field.

>
> Otherwise LGTM.
>
> Could you send updated patches with these minor changes?

I will soon, just want to spend a bit of time trying to make the system test
for this.

>
> Thanks!

And thank you again for the review.

Tomas

--
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.

Subject: [bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
From: Tomas Volf <~@wolfsden.cz>
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Date: Thu, 11 Jan 2024 18:32:12 +0100
Message-ID: <1f9c251cf379b579a0e04f5698da0bfdd62f2b90.1704994323.git.~@wolfsden.cz>
From: Tomas Volf

In order to be able to provide decryption keys for the LUKS device, they
need to be available in the initial ram disk. However they cannot be
stored inside the usual initrd, since it is stored in the store and being
world-readable (as files in the store are) is not a desired property for
an initrd containing decryption keys.

This commit adds an option to load additional initrd during the boot, one
that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
 doc/guix.texi           | 49 +++++++++++++++++++++++++++++++++++++++++
 gnu/bootloader.scm      |  6 ++++-
 gnu/bootloader/grub.scm |  7 ++++--
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +File name of an additional initrd to load during the boot. It may or +may not point to a file in the store, but the main use case is for +out-of-store files containing secrets. + +In order to be able to provide decryption keys for the LUKS device, they +need to be available in the initial ram disk. However they cannot be +stored inside the usual initrd, since it is stored in the store and +being a world-readable (as files in the store are) is not a desired +property for a initrd containing decryption keys. You can therefore use +this field to instruct GRUB to also load a manually created initrd not +stored in the store. + +For any use case not involving secrets, you should use regular initrd +(@pxref{operating-system Reference, @code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +After it is created, you can use it in this manner: + +@lisp +;; Operating system with encrypted boot partition +(operating-system + ... + (bootloader (bootloader-configuration + (bootloader grub-efi-bootloader) + (targets '("/boot/efi")) + ;; Load the initrd with a key file + (extra-initrd "/key-file.cpio"))) + (mapped-devices + (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "my-root") + (type (luks-device-mapping-with-options + ;; And use it to unlock the root device + #:key-file "/key-file.bin")))))) +@end lisp + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by GRUB. @end table @end deftp 
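Review bot: the rationale paragraph explains why the key must stay out of the world-readable store but never says where it must live instead; ‘/key-file.bin’ and ‘/key-file.cpio’ only stay secret if the file system holding them is itself encrypted (the example's comment "Operating system with encrypted boot partition" implies this without stating it), because ‘chmod 0000’ is no obstacle to anyone reading the raw disk or mounting it from another system. Suggest adding that requirement right after "You can therefore use this field to instruct GRUB to also load a manually created initrd not stored in the store." Smaller points in the same hunk: "readable by the grub" and "the grub menu" still use the lowercase spelling that the last line was changed to GRUB; "Suitable image can be created" and "use regular initrd" want articles ("A suitable image", "the regular initrd"); and one sentence that the name ‘cpio’ records (here ‘/key-file.bin’, because that is what was echoed to it) is the path the ‘#:key-file’ argument must name would help, since the example shows the two agreeing only by repeating the same literal.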
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index ba06de7618..f32e90e79d 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2022 Josselin Poiret ;;; Copyright © 2022 Reza Alizadeh Majd +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +281,9 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f))) ;string | #f (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..2723eda5f4 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2020 Stefan ;;; Copyright © 2022 Karl Hallsby ;;; Copyright © 2022 Denis 'GNUtoo' Carikli +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a 
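Review bot: in the ‘make-grub-configuration’ hunk, ‘extra-initrd’ is bound straight from ‘bootloader-configuration-extra-initrd’ while ‘initrd’ on the preceding lines goes through ‘normalize-file’ with DEVICE-MOUNT-POINT and STORE-DIRECTORY-PREFIX; the context comment right below ("Use the right file names for LINUX and INITRD in case DEVICE-MOUNT-POINT is not "/"") describes exactly the case the new binding ignores, so a store on a separate partition gets an unreachable path for the extra initrd. Either normalize it the same way or document that the value is a GRUB-side path relative to the device ‘grub-root-search’ selects. In the ‘gnu/bootloader.scm’ hunks the field joins the generic ‘bootloader-configuration’ record, but only GRUB reads it, so the same configuration under another bootloader silently boots without the key file; a warning when the field is set for a non-GRUB bootloader, or at least a note in the ";string | #f" comment, would make that failure visible.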
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry)) -- 2.41.0

Subject: [bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test.
Resent-From: Tomas Volf <~@wolfsden.cz>
To: 65002@debbugs.gnu.org
Cc: Tomas Volf <~@wolfsden.cz>
Resent-Date: Thu, 11 Jan 2024 17:33:02 +0000
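Review bot: the ‘menuentry’ format string now emits the extra initrd before the store one ("initrd ~a ~a" filled with ‘(or #$extra-initrd "")’ and then ‘#$initrd’). GRUB passes the archives in that order and the kernel unpacks them in sequence with later members overwriting earlier ones, so a path present in both ends up with the store initrd's copy; that is the safe direction (the out-of-store archive cannot replace the init script or kernel modules) and deserves a comment saying the order is deliberate, so a future cleanup does not swap the two arguments. With ‘extra-initrd’ unset the line becomes "initrd  /gnu/store/..." with a doubled space, harmless to GRUB but noise in the generated grub.cfg; building the argument list conditionally avoids it. The file name is also interpolated unquoted, so a value containing spaces breaks the entry.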
q/ylHgOIrCImVf1f0Z2iHdj/CpeTRZlE5xOaImuJi5PV+SeCrPgYGlDEKNdNnI8YF3 cnDQw0cV4fY/TGng1pUdZK6zyIFWcwb01j3Q0dGmXCYYS9Ob7VcIeSNOP1DQfICnE7 LM4wpzHrx2lbXvYC+hxHylsJoDw0QLF2Q8P4mVPA+UvLyKiUfhM5l+PcRRAOLsjRU9 oGjyCCy4uB2caFyvw2KmPfomv0o4GnaFVbNRenZjSy6uNok+jd5A31Sth1olm4lqUM dXLD2njDNL56d5ADWSl6V++aa1Z9zcok0KzThdOVEyvd+Cy+xVIFBDdZYkpUbrfP89 QWMK9iP+ngYr9HCmk2i8ayOajDxv8mljdR2w0RmYRiOmPzmhUADvshEvAFioddjFQ+ 8m6MXmqTnHwSJCfAG5jW6hnLHTbPS524eXxInriWHeFvAOJCNfALwW8NaLP/KY4L39 qHknya3ge8Se9ehFhKy9HxJM= X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on wolfsden X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from localhost (unknown [193.32.127.158]) by wolfsden.cz (Postfix) with ESMTPSA id F3A372503AE; Thu, 11 Jan 2024 17:32:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wolfsden.cz; s=mail; t=1704994354; bh=avZYheE1pEPYdiWuMKQwv7VZx+t+hsnxBKuQbrmg/gw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=QuY3IeLSJaIABBpxxEJ00BtxiUlejNpIxuivUlfZ8KOJt5FHeXq61ha+0bLk5dp8L mwo2ZaUP7aQXWb0Fxf34W+6pmoOX1cj/sIxxqtOO8CHU90K3e28Im3EPWNM3gLZKmE rEU8LhUnO9+QPBVHseqs8SNyoqPeCpkyl1GUeT/Uvi1oH0QMJP5wd2D3fff6+6CizP q/ylHgOIrCImVf1f0Z2iHdj/CpeTRZlE5xOaImuJi5PV+SeCrPgYGlDEKNdNnI8YF3 cnDQw0cV4fY/TGng1pUdZK6zyIFWcwb01j3Q0dGmXCYYS9Ob7VcIeSNOP1DQfICnE7 LM4wpzHrx2lbXvYC+hxHylsJoDw0QLF2Q8P4mVPA+UvLyKiUfhM5l+PcRRAOLsjRU9 oGjyCCy4uB2caFyvw2KmPfomv0o4GnaFVbNRenZjSy6uNok+jd5A31Sth1olm4lqUM dXLD2njDNL56d5ADWSl6V++aa1Z9zcok0KzThdOVEyvd+Cy+xVIFBDdZYkpUbrfP89 QWMK9iP+ngYr9HCmk2i8ayOajDxv8mljdR2w0RmYRiOmPzmhUADvshEvAFioddjFQ+ 8m6MXmqTnHwSJCfAG5jW6hnLHTbPS524eXxInriWHeFvAOJCNfALwW8NaLP/KY4L39 qHknya3ge8Se9ehFhKy9HxJM= 
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:32:13 +0100

Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file
for unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
 gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install) #:use-module (gnu packages admin) #:use-module (gnu packages bootloaders) #:use-module (gnu packages commencement) ;for 'guile-final' + #:use-module (gnu packages cpio) #:use-module (gnu packages cryptsetup) #:use-module (gnu packages disk) #:use-module (gnu packages emacs) @@ -67,6 +68,7 @@ (define-module (gnu tests install) %test-raid-root-os %test-encrypted-root-os %test-encrypted-home-os + %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script mkfs.ext4 -L root-fs /dev/vdb2 mkfs.ext4 -L home-fs /dev/mapper/the-home-device mount /dev/vdb2 /mnt + +# This script is used for both encrypted-home-os and encrypted-home-os-key-file +# tests. So we also add the keyfile here. +dd if=/dev/zero of=/key-file.bin bs=4096 count=1 +( cd /mnt; + echo /key-file.bin | cpio -oH newc > key-file.cpio + chmod 0000 key-file.cpio + mv /key-file.bin . +) +echo -n " %luks-passphrase " | \\ + cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin + mkdir /mnt/home mount /dev/mapper/the-home-device /mnt/home df -h /mnt /mnt/home 
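Review bot: the key file is produced with ‘dd if=/dev/zero’ under the default umask and then moved into /mnt, while only ‘key-file.cpio’ gets ‘chmod 0000’; the installed system therefore ends up with a world-readable ‘/key-file.bin’ beside an unreadable archive, the opposite of what the manual text for ‘extra-initrd’ argues for. Add ‘chmod 0000 /mnt/key-file.bin’ after the ‘mv’. Because the script is shared, the plain ‘encrypted-home-os’ test now also gets a zero-filled key enrolled in /dev/vdb3 (with ‘-i 1’); that is fine for a test, but a comment saying the all-zero key is a fixture and that /dev/urandom is the source for real use would stop the snippet from being copied as-is.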
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os (mlet* %store-monad ((images (run-install %encrypted-home-os %encrypted-home-os-source #:script - %encrypted-home-installation-script)) + %encrypted-home-installation-script + #:packages (list cpio))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) + +;;; +;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key +;;; file. +;;; +(define-os-with-source (%encrypted-home-os-key-file + %encrypted-home-os-key-file-source) + (use-modules (gnu) (gnu tests)) + + (operating-system + (host-name "cipherhome") + (timezone "Europe/Prague") + (locale "en_US.utf8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets (list "/dev/vdb")) + (extra-initrd "/key-file.cpio"))) + (kernel-arguments '("console=ttyS0")) + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-home-device") + (type (luks-device-mapping-with-options + #:key-file "/key-file.bin"))))) + (file-systems (cons* (file-system + (device (file-system-label "root-fs")) + (mount-point "/") + (type "ext4")) + (file-system + (device (file-system-label "home-fs")) + (mount-point "/home") + (type "ext4") + (dependencies mapped-devices)) + %base-file-systems)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-home-os-key-file + (system-test + (name "encrypted-home-os-key-file") + (description + "Test functionality of an OS installed with a LUKS /home partition with +unlock done using a key file") + (value + (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file + %encrypted-home-os-key-file-source + #:script + %encrypted-home-installation-script + #:packages (list cpio))) + (command (qemu-command* images))) + 
(run-basic-test %encrypted-home-os-key-file + command "encrypted-home-os-key-file"))))) + ;;; ;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
-- 2.41.0

Subject: [bug#65002] [PATCH 5/6] tests: install: Fix encrypted-root-os test.
Resent-From: Tomas Volf <~@wolfsden.cz>
Resent-Date: Thu, 11 Jan 2024 17:33:03 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf <~@wolfsden.cz>
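Review bot: `%test-encrypted-home-os-key-file` never asserts that the unlock happened through the key file; it only omits the `#:initialization enter-luks-passphrase-for-home` that `%test-encrypted-home-os` passes, so a rejected or missing key file would show up as a hang on the passphrase prompt until the test times out rather than as a clear failure. A comment in the test stating that dependency, or a marionette check that the mapped device's shepherd service is running, would make the intent explicit. The description string could also mention that the key file is delivered through `extra-initrd`, since that is the part of the feature this test exists to cover.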
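The test installation script in the tests patch above builds `/key-file.cpio` with `cpio -oH newc` and hands it to `extra-initrd`. The point that is easy to miss there is that the `chmod 0000` on the archive does not govern the key: the mode recorded in the cpio header is what the initramfs unpacker applies when it extracts the key file. As an added example (not code from the patch series or from Guix), here is a small Python inspector for newc archives that reports key entries whose recorded mode grants group/other access, are not regular files, are missing, or contain only zero bytes. The archives it examines are constructed in memory by `build_newc`, a minimal writer included only so the check runs offline; the key names and modes are assumptions mirroring the test script.

```python
"""Inspect a newc cpio archive (what `cpio -oH newc` writes and what the
kernel unpacks as an initramfs) and flag key-file entries that a non-root
user could read once the initramfs is extracted.

Added example, not code from the Guix patch series: the archives below are
constructed in memory by build_newc so the check runs offline.
"""
import stat

NEWC_MAGIC = b"070701"
HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 hex digits
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize",
          "check")


def _pad4(n):
    """newc aligns header+name and file data to 4-byte boundaries."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Pack (name, mode, data) triples into a newc archive, trailer included.

    Minimal writer used only to construct sample input; GNU cpio additionally
    pads the archive to a 512-byte block, which the kernel does not require.
    """
    out = bytearray()
    records = list(entries) + [("TRAILER!!!", 0, b"")]
    for ino, (name, mode, data) in enumerate(records, 1):
        namez = name.encode() + b"\0"
        values = {"ino": ino, "mode": mode, "uid": 0, "gid": 0, "nlink": 1,
                  "mtime": 0, "filesize": len(data), "devmajor": 0,
                  "devminor": 0, "rdevmajor": 0, "rdevminor": 0,
                  "namesize": len(namez), "check": 0}
        out += NEWC_MAGIC + b"".join(b"%08x" % values[f] for f in FIELDS)
        out += namez + b"\0" * _pad4(HEADER_LEN + len(namez))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def parse_newc(blob):
    """Yield (name, mode, data) for each entry up to the TRAILER!!! record."""
    pos = 0
    while pos + HEADER_LEN <= len(blob):
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        hdr = {f: int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
               for i, f in enumerate(FIELDS)}
        name_start = pos + HEADER_LEN
        name = blob[name_start:name_start + hdr["namesize"] - 1].decode()
        data_start = (name_start + hdr["namesize"]
                      + _pad4(HEADER_LEN + hdr["namesize"]))
        data = blob[data_start:data_start + hdr["filesize"]]
        pos = data_start + hdr["filesize"] + _pad4(hdr["filesize"])
        if name == "TRAILER!!!":
            return
        yield name, hdr["mode"], data
    raise ValueError("archive ended without TRAILER!!!")


def check_key_entries(blob, key_names):
    """Map each requested key file to None (acceptable) or a problem string.

    A key entry is acceptable when it is a regular file whose recorded mode
    grants nothing to group/other and whose content is not empty or all zero.
    """
    wanted = {k.lstrip("/") for k in key_names}
    findings = {k: "missing from archive" for k in wanted}
    for name, mode, data in parse_newc(blob):
        key = name.lstrip("/")           # cpio may store the leading slash
        if key not in wanted:
            continue
        if not stat.S_ISREG(mode):
            findings[key] = "not a regular file"
        elif mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[key] = ("mode %o grants access to group/other"
                             % stat.S_IMODE(mode))
        elif not data or all(b == 0 for b in data):
            findings[key] = "key material is empty or all zero bytes"
        else:
            findings[key] = None
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the test script: a 4096-byte /dev/zero key
    # archived with the default-umask mode 0644 instead of 0400 or 0000.
    sample = build_newc([("/key-file.bin", 0o100644, b"\0" * 4096)])
    for key, problem in check_key_entries(sample, ["/key-file.bin"]).items():
        print(key, "->", problem or "ok")
```

On a real archive the same modes are visible with `cpio -itv < key-file.cpio`; the fix on the producing side is to `chmod` the key before archiving, since neither `chmod` on the `.cpio` file nor the `extra-initrd` setting changes what the header records.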
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:32:15 +0100

The installation no longer fits into the 1.6G, leading to a warning while running the test:

    guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

    93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
    builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
 gnu/tests/install.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script ls -l /run/current-system/gc-roots parted --script /dev/vdb mklabel gpt \\ mkpart primary ext2 1M 3M \\ - mkpart primary ext2 3M 1.6G \\ + mkpart primary ext2 3M 2G \\ set 1 boot on \\ set 1 bios_grub on echo -n " %luks-passphrase " | \\
-- 2.41.0

Subject: [bug#65002] [PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS.
Resent-From: Tomas Volf <~@wolfsden.cz>
Resent-Date: Thu, 11 Jan 2024 17:33:04 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf <~@wolfsden.cz>
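Review bot: Growing the second partition to 2G only helps if the disk image `run-install` creates for this test is itself large enough, and the hunk does not touch the test's `#:target-size`; please confirm the encrypted-root image still fits, since 6/6 of this series has to raise `#:target-size` to `(* 3000 MiB)` for the encrypted-home tests after the same 3M-2G change. The commit message quotes 1526.8 MB needed against 1408.4 MB available, so 2G leaves roughly 500 MB of headroom; a short note on whether that margin is deliberate would save the next person from repeating this exercise.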
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:32:14 +0100

For testing that installation works, there is no need to spend 2000ms (the default) iterating while generating the encryption key. This commit therefore sets the iteration time to the lowest possible value, 1 (ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
 gnu/tests/install.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script set 1 boot on \\ set 1 bios_grub on echo -n " %luks-passphrase " | \\ - cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 - + cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 - echo -n " %luks-passphrase " | \\ cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device mkfs.ext4 -L my-root /dev/mapper/the-root-device
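Review bot: `-i 1` gives cryptsetup a 1 ms benchmark target for the PBKDF, not a fixed cost: cryptsetup still enforces its own minimum iteration and memory parameters for the chosen PBKDF, so the speed-up is real but the resulting key-slot parameters are not pinned. That is fine for a throwaway test image, but `luksFormat` lines in tests tend to get copied, so a comment marking `-i 1` as test-only (and naming `--pbkdf-force-iterations` as the explicit knob if a reproducible cost is ever wanted) would help. The same applies to the two other `luksFormat` sites this patch changes.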
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script set 1 bios_grub on echo -n " %luks-passphrase " | \\ - cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 - + cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 - echo -n " %luks-passphrase " | \\ cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device 
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script mkpart primary ext2 50M 1.6G \\ set 1 boot on \\ set 1 bios_grub on -echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 - echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root mkfs.ext4 -L my-root /dev/mapper/root mkfs.ext4 -L my-boot /dev/vdb2
-- 2.41.0

Subject: [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by a key file.
Resent-From: Tomas Volf <~@wolfsden.cz>
Resent-Date: Thu, 11 Jan 2024 17:33:04 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:32:11 +0100

Requiring the user to input their password in order to unlock a device is not always reasonable, so having an option to unlock the device using a key file is a nice quality of life change.

* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.

Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
 doc/guix.texi                 | 25 +++++++++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 67 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@ Copyright @copyright{} 2023 Thomas Ieong@* Copyright @copyright{} 2023 Saku Laesvuori@* Copyright @copyright{} 2023 Graham James Addis@* +Copyright @copyright{} 2023 Tomas Volf@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. This has an advantage of not requiring a password entry, so +it can be used (for example) to unlock RAID arrays automatically on +boot. If key file unlock fails, password unlock is attempted as well. +Key file is not stored in the store and needs to be available at the +given location at the time of the unlock attempt. + +@lisp +;; Following definition would be equivalent to running: +;; cryptsetup open --key-file /crypto.key /dev/sdb1 data +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:key-file "/crypto.key"))) +@end lisp +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..c19a818453 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) 
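Review bot: The `@lisp` example in the new `@deffn` has two unterminated strings, `(source "/dev/sdb1)` and `(target "data)`; they should read `(source "/dev/sdb1")` and `(target "data")`, otherwise the snippet does not even read as Scheme. The prose should also state the two operational requirements the implementation imposes: the key file must be readable by root only, because anyone who can read it can open the device, and for a device that has to be mapped at boot the file must be inside the initrd (the tests in this series use `(extra-initrd "/key-file.cpio")`), not merely on the root file system. Minor: the comment's `cryptsetup open --key-file /crypto.key /dev/sdb1 data` omits the `--type luks` that the code always passes.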
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure @@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." 
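Review bot: When the key-file attempt fails, the `or` falls straight through to the interactive `cryptsetup open` with no message, so on a headless machine a missing, unreadable or stale key file becomes a silent hang at a passphrase prompt, and on a desktop the user gets no hint that the key file was tried and rejected. Log the failure (key file path and cryptsetup's exit status) between the two calls before prompting. The `--key-file` invocation also does not need a controlling tty; plain `system*` would do for that branch and keep `system*/tty` for the interactive fallback only. Hoisting the partition lookup and its retry loop out of the two calls is a good refactor.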
@@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
-- 2.41.0

Subject: [bug#65002] [PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
Resent-From: Tomas Volf <~@wolfsden.cz>
Resent-Date: Thu, 11 Jan 2024 17:33:05 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf <~@wolfsden.cz>
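Review bot: `luks-device-mapping-with-options` inherits `check-luks-device` unchanged, so nothing validates `key-file` at `guix system` time: a relative path, an empty string, or a path under `/gnu/store` (where the key would be world-readable) is accepted and only fails, or silently falls back to the passphrase prompt, at boot. Rejecting non-absolute paths in this constructor and warning when the path is inside the store would catch the common mistakes early. The docstring could also say that only `open` is overridden and that `close` and `check` are the plain LUKS ones.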
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:32:16 +0100

The installation no longer fits into the 1.6G, leading to a warning while running the test:

    guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

    93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
    builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
 gnu/tests/install.scm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script export GUIX_BUILD_OPTIONS=--no-grafts parted --script /dev/vdb mklabel gpt \\ mkpart primary ext2 1M 3M \\ - mkpart primary ext2 3M 1.6G \\ - mkpart primary 1.6G 2.0G \\ + mkpart primary ext2 3M 2G \\ + mkpart primary 2G 2.4G \\ set 1 boot on \\ set 1 bios_grub on @@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os %encrypted-home-os-source #:script %encrypted-home-installation-script - #:packages (list cpio))) + #:packages (list cpio) + #:target-size + (* 3000 MiB))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) 
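Review bot: The ChangeLog entry and the commit body are carried over from 5/6: they name `%encrypted-root-installation-script` and the `encrypted-root-os` failure, but the first hunk here modifies `%encrypted-home-installation-script` (see the `@@` context) and the tests being fixed are `encrypted-home-os` and `encrypted-home-os-key-file`. Please correct the entry before pushing, and mention that the home partition moves from 1.6G-2.0G to 2G-2.4G, which the entry currently leaves out.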
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file %encrypted-home-os-key-file-source #:script %encrypted-home-installation-script - #:packages (list cpio))) + #:packages (list cpio) + #:target-size + (* 3000 MiB))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os-key-file command "encrypted-home-os-key-file")))))
-- 2.41.0

Subject: [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
Resent-From: Tomas Volf <~@wolfsden.cz>
Resent-Date: Thu, 11 Jan 2024 17:36:02 +0000
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
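Review bot: `#:target-size (* 3000 MiB)` is now repeated verbatim in `%test-encrypted-home-os` and here. Both tests install with the same `%encrypted-home-installation-script` and therefore must agree on the disk layout, so a single named constant defined next to that script (and used by both `run-install` calls) would keep the two from drifting the next time the partition table grows.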
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:39 +0100

Requiring the user to input their password in order to unlock a device is not always reasonable, so having an option to unlock the device using a key file is a nice quality of life change.

* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.

Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
 doc/guix.texi                 | 25 +++++++++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 67 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@ Copyright @copyright{} 2023 Thomas Ieong@* Copyright @copyright{} 2023 Saku Laesvuori@* Copyright @copyright{} 2023 Graham James Addis@* +Copyright @copyright{} 2023 Tomas Volf@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. This has an advantage of not requiring a password entry, so +it can be used (for example) to unlock RAID arrays automatically on +boot. If key file unlock fails, password unlock is attempted as well. +Key file is not stored in the store and needs to be available at the +given location at the time of the unlock attempt. + +@lisp +;; Following definition would be equivalent to running: +;; cryptsetup open --key-file /crypto.key /dev/sdb1 data +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:key-file "/crypto.key"))) +@end lisp +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..c19a818453 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) 
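Review bot: the `@lisp` example in this hunk has two unterminated string literals, `(source "/dev/sdb1)` and `(target "data)`, so the snippet does not read as the Scheme it is meant to show; they should be `(source "/dev/sdb1")` and `(target "data")`. In the comment above it, "Following definition would be equivalent" wants "The following definition would be equivalent". The paragraph on fallback could also tell the reader what a failure looks like in practice: when the key file cannot be used, boot continues to the interactive passphrase prompt, so an unexpected prompt at boot is the symptom of a misconfigured or unreadable key file rather than a failed boot.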
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure @@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
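Review bot: the signature becomes `(define* (open-luks-device source targets #:key key-file)` but the docstring right after it still reads "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." and says nothing about KEY-FILE; add a sentence such as "When KEY-FILE is a file name, try it first and fall back to an interactive passphrase prompt." A small naming point: the keyword is `key-file` while the gexp binds it as `(keyfile #$key-file)`; using one spelling for both makes the generated code easier to follow.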
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." 
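Review bot: the new `(or (and keyfile (zero? ...)) (zero? ...))` falls through to the interactive `cryptsetup open` for every kind of key-file failure alike: file absent from the initrd, unreadable, or key not present in any slot. The user then sees a passphrase prompt with no indication that the configured key file was the cause, which is the situation the manual text in this series describes as awkward to recover from. Consider checking `(file-exists? keyfile)` before the first `system*/tty` call and printing a one-line message before the second one (for example "LUKS key file ~a failed, falling back to passphrase"), so the reason is visible on the console and in the boot log. The comment ";; We want to fallback to the password unlock if the keyfile fails." could also state that the fallback is unconditional, so a reader does not assume a missing key file is fatal.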
@@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'." base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0 -- 2.41.0

Subject: [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
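Review bot: in the `luks-device-mapping-with-options` hunk of 1/6 above, `(open (λ (source targets) ...))` uses the `λ` glyph while the visible definitions in this file are plain `define` forms; unless the module already uses `λ` elsewhere, spell it `lambda` so the new procedure matches the surrounding code. The docstring "Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure." is also imprecise: the value is a `mapped-device-kind` built with `(inherit luks-device-mapping)`, and the only argument forwarded is KEY-FILE, so "Return a mapped-device-kind like LUKS-DEVICE-MAPPING whose open procedure passes KEY-FILE to open-luks-device." describes it better; the Texinfo entry in the first hunk has the same loose wording.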
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:40 +0100
Message-ID: <1f9c251cf379b579a0e04f5698da0bfdd62f2b90.1704994535.git.~@wolfsden.cz>
X-Mailer: git-send-email 2.41.0

In order to be able to provide decryption keys for the LUKS device, they need to be available in the initial ram disk. However they cannot be stored inside the usual initrd, since it is stored in the store and being world-readable (as files in the store are) is not a desired property for an initrd containing decryption keys.

This commit adds an option to load additional initrd during the boot, one that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd field.
* gnu/bootloader.scm (): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd field.
---
doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++ gnu/bootloader.scm | 6 ++++- gnu/bootloader/grub.scm | 7 ++++-- 3 files changed, 59 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b1202f2182..87d41e0aae 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +File name of an additional initrd to load during the boot. It may or +may not point to a file in the store, but the main use case is for +out-of-store files containing secrets. + +In order to be able to provide decryption keys for the LUKS device, they +need to be available in the initial ram disk. However they cannot be +stored inside the usual initrd, since it is stored in the store and +being a world-readable (as files in the store are) is not a desired +property for a initrd containing decryption keys. You can therefore use +this field to instruct GRUB to also load a manually created initrd not +stored in the store. + +For any use case not involving secrets, you should use regular initrd +(@pxref{operating-system Reference, @code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +After it is created, you can use it in this manner: + +@lisp +;; Operating system with encrypted boot partition +(operating-system + ... + (bootloader (bootloader-configuration + (bootloader grub-efi-bootloader) + (targets '("/boot/efi")) + ;; Load the initrd with a key file + (extra-initrd "/key-file.cpio"))) + (mapped-devices + (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "my-root") + (type (luks-device-mapping-with-options + ;; And use it to unlock the root device + #:key-file "/key-file.bin")))))) +@end lisp + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by GRUB. @end table @end deftp 
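Review bot: the "Be careful when using this option" paragraph in this hunk warns only about an unreadable file; it should also say where the archive may safely live. GRUB loads `extra-initrd` before the kernel runs, so if `/key-file.cpio` is placed on an unencrypted `/boot` or on the EFI system partition, anyone with offline access to the disk can read the key, and the commit message's point that this feature is meant for an encrypted `/boot` never reaches the manual; one sentence stating that the file must reside on a file system that is itself encrypted (or otherwise not readable offline) would close that gap. The `@example` also restricts only the archive (`chmod 0000 /key-file.cpio`) while `/key-file.bin` keeps its default permissions; show the same `chmod` for the key file. Minor wording: "Suitable image can be created" should be "A suitable image can be created", "use regular initrd" should be "use the regular initrd", and "a initrd" should be "an initrd".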
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index ba06de7618..f32e90e79d 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2022 Josselin Poiret ;;; Copyright © 2022 Reza Alizadeh Majd +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +281,9 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f))) ;string | #f (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..2723eda5f4 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2020 Stefan ;;; Copyright © 2022 Karl Hallsby ;;; Copyright © 2022 Denis 'GNUtoo' Carikli +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a 
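Review bot: `extra-initrd` is added as a bare `string | #f` field with no validation, which is understandable for an out-of-store file that cannot be inspected inside the build sandbox, but the manual text in this same series says a wrong path makes the system unbootable; consider a `file-exists?` warning at the point where the bootloader is actually installed on the target, so a typo is caught before the reboot. Also, the field lives on the generic `bootloader-configuration` record while the documentation says "Currently only supported by GRUB"; a non-GRUB bootloader silently ignores it, so either warn when it is set together with another bootloader or mark it GRUB-only in the record comment.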
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry)) -- 2.41.0

Subject: [bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test.
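Review bot: in the `make-grub-configuration` hunk of 2/6 above, `(or #$extra-initrd "")` interpolates the configured path unchanged, whereas the regular `initrd` (and `linux`) go through `normalize-file` with `device-mount-point` and `store-directory-prefix` in the preceding hunk precisely so they resolve correctly when the store is on a separate partition. The extra initrd is therefore looked up relative to whatever `grub-root-search` selected, which is not necessarily the file system the user had in mind when writing `"/key-file.cpio"`; either apply the same normalization or document that the path is relative to GRUB's root device. Two smaller points: with `extra-initrd` unset the template now emits `initrd  /gnu/store/...` with a doubled space, harmless but avoidable by building the argument list conditionally; and `~a` leaves the path unquoted, so a file name containing a space would be split into two initrd arguments.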
rseGonDoRbV3b+NWIRex9+08NAsMmP9lltjYzK21w/TDY0rx5hVTT2PagFds6wtKNa nAsspmQBXM343d6EFtbIQXjdXV/1lOn/7csuwVfEEoMko4ove6RHrs3f9ZuAiLI/La 1Y8QbuR1iFKVJw89hSwJkevEfNrKXECXFJ4Kyo9EeOs7wX7Ih/FAw2H2pN3jL1nsfg 282YET8ogRpKTbeysoj6JQs5R8HNXNX8klnb7u3x2IuvkGQw6ysZRbcDOXtSbhLUsZ jFtdky9TqwIw1/fawZQoaufiF8I0n/5zLrb1bWcn+kIPrNNHrPge9JnE8nmFosmabc +2u+9Alni8kDQJ3cAJtBh4gM4Ig8cHKzZNDXStaXUUHJlas5v0w5tlTt+3UAzqOApG Ee1EqU1HYvbPLkxIdphXrKGaLrQqqd2VktqPufq4nJ35caRAi83sooIJXaRvlzn8cC 4jJq/pwNUOrq2BmCA6KhDCvs= X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on wolfsden X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from localhost (unknown [193.32.127.158]) by wolfsden.cz (Postfix) with ESMTPSA id 2586D24F262; Thu, 11 Jan 2024 17:35:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wolfsden.cz; s=mail; t=1704994552; bh=avZYheE1pEPYdiWuMKQwv7VZx+t+hsnxBKuQbrmg/gw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=qypg+/w3kAg3QCX1NZSjsHFD5uer3nnyELgx9QJ949cm6friju/r0DCPteMK5SqXP tEk2SIvLUyWbaFSl6h8+/Cb6JuH5agRxRtMprr+7Vr4uhcbNulzlSr/lwe5bU6RlhW RGYyuLYk+CWLC7X8LdT8ueaaRlb5hj/RcJ5MNq3Je8WERqb3O8uZZv5n/xfxz1yzfi rseGonDoRbV3b+NWIRex9+08NAsMmP9lltjYzK21w/TDY0rx5hVTT2PagFds6wtKNa nAsspmQBXM343d6EFtbIQXjdXV/1lOn/7csuwVfEEoMko4ove6RHrs3f9ZuAiLI/La 1Y8QbuR1iFKVJw89hSwJkevEfNrKXECXFJ4Kyo9EeOs7wX7Ih/FAw2H2pN3jL1nsfg 282YET8ogRpKTbeysoj6JQs5R8HNXNX8klnb7u3x2IuvkGQw6ysZRbcDOXtSbhLUsZ jFtdky9TqwIw1/fawZQoaufiF8I0n/5zLrb1bWcn+kIPrNNHrPge9JnE8nmFosmabc +2u+9Alni8kDQJ3cAJtBh4gM4Ig8cHKzZNDXStaXUUHJlas5v0w5tlTt+3UAzqOApG Ee1EqU1HYvbPLkxIdphXrKGaLrQqqd2VktqPufq4nJ35caRAi83sooIJXaRvlzn8cC 4jJq/pwNUOrq2BmCA6KhDCvs= 
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:41 +0100

Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variable.
(%encrypted-home-installation-script): Generate initrd with a key file for unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index daa4647299..6794bca145 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -35,6 +35,7 @@ (define-module (gnu tests install) #:use-module (gnu packages admin) #:use-module (gnu packages bootloaders) #:use-module (gnu packages commencement) ;for 'guile-final' + #:use-module (gnu packages cpio) #:use-module (gnu packages cryptsetup) #:use-module (gnu packages disk) #:use-module (gnu packages emacs) @@ -67,6 +68,7 @@ (define-module (gnu tests install) %test-raid-root-os %test-encrypted-root-os %test-encrypted-home-os + %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script mkfs.ext4 -L root-fs /dev/vdb2 mkfs.ext4 -L home-fs /dev/mapper/the-home-device mount /dev/vdb2 /mnt + +# This script is used for both encrypted-home-os and encrypted-home-os-key-file +# tests. So we also add the keyfile here. +dd if=/dev/zero of=/key-file.bin bs=4096 count=1 +( cd /mnt; + echo /key-file.bin | cpio -oH newc > key-file.cpio + chmod 0000 key-file.cpio + mv /key-file.bin . +) +echo -n " %luks-passphrase " | \\ + cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin + mkdir /mnt/home mount /dev/mapper/the-home-device /mnt/home df -h /mnt /mnt/home 
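Review bot: `dd if=/dev/zero of=/key-file.bin bs=4096 count=1` makes the LUKS key 4096 zero bytes. That is acceptable for a throwaway VM image, but the comment only says "we also add the keyfile here", so anyone adapting this script for a real installation will copy an all-zero key; state in the comment that this is a deliberate dummy key and that a real one must come from a CSPRNG such as /dev/urandom. The `chmod 0000 key-file.cpio` also leaves `key-file.bin` itself with default permissions, the same gap as in the manual example of 2/6; add a `chmod 0000 key-file.bin` so the test matches what the documentation should recommend.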
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os (mlet* %store-monad ((images (run-install %encrypted-home-os %encrypted-home-os-source #:script - %encrypted-home-installation-script)) + %encrypted-home-installation-script + #:packages (list cpio))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) + +;;; +;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key +;;; file. +;;; +(define-os-with-source (%encrypted-home-os-key-file + %encrypted-home-os-key-file-source) + (use-modules (gnu) (gnu tests)) + + (operating-system + (host-name "cipherhome") + (timezone "Europe/Prague") + (locale "en_US.utf8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets (list "/dev/vdb")) + (extra-initrd "/key-file.cpio"))) + (kernel-arguments '("console=ttyS0")) + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-home-device") + (type (luks-device-mapping-with-options + #:key-file "/key-file.bin"))))) + (file-systems (cons* (file-system + (device (file-system-label "root-fs")) + (mount-point "/") + (type "ext4")) + (file-system + (device (file-system-label "home-fs")) + (mount-point "/home") + (type "ext4") + (dependencies mapped-devices)) + %base-file-systems)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-home-os-key-file + (system-test + (name "encrypted-home-os-key-file") + (description + "Test functionality of an OS installed with a LUKS /home partition with +unlock done using a key file") + (value + (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file + %encrypted-home-os-key-file-source + #:script + %encrypted-home-installation-script + #:packages (list cpio))) + (command (qemu-command* images))) + 
(run-basic-test %encrypted-home-os-key-file + command "encrypted-home-os-key-file"))))) + ;;; ;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. -- 2.41.0

Subject: [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.
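Review bot: in the `%test-encrypted-home-os-key-file` hunk of 3/6 above, nothing states what makes this test different from `%encrypted-home-os`: the new `run-basic-test` call omits the `#:initialization enter-luks-passphrase-for-home` argument that the first part of the hunk shows for the original test, so the only evidence that the key file worked is that the boot does not block on a passphrase prompt, and a regression would surface as a timeout rather than a clear failure. A comment above the `run-basic-test` call saying exactly that, and ideally an explicit check that `/home` ended up mounted, would make the intent of the test visible. Also consider ending the description string ("...unlock done using a key file") with a period.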
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:42 +0100

For testing that installation works, there is no need to spend 2000ms (the default) iterating while generating the encryption key. This commit therefore sets the iteration time to the lowest possible value, 1 (ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
gnu/tests/install.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 6794bca145..c5243f2ed9 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -755,7 +755,7 @@ (define %encrypted-root-installation-script set 1 boot on \\ set 1 bios_grub on echo -n " %luks-passphrase " | \\ - cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 - + cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 - echo -n " %luks-passphrase " | \\ cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device mkfs.ext4 -L my-root /dev/mapper/the-root-device
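Review bot: `-i 1` on the `luksFormat` line has no explanation at the call site; the rationale (a 1 ms PBKDF iteration time is only tolerable because these images are throwaway test artefacts) lives only in the commit message. Add a short comment above the first invocation, for example `# -i 1: minimal key-derivation time; test-only, never for a real install`, so the three call sites do not get copied into installation instructions. The `luksAddKey --key-file - -i 1` line added in 3/6 deserves the same note, since it weakens the newly added key slot in the same way.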
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script set 1 bios_grub on echo -n " %luks-passphrase " | \\ - cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 - + cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 - echo -n " %luks-passphrase " | \\ cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device 
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script mkpart primary ext2 50M 1.6G \\ set 1 boot on \\ set 1 bios_grub on -echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 - echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root mkfs.ext4 -L my-root /dev/mapper/root mkfs.ext4 -L my-boot /dev/vdb2 -- 2.41.0

Subject: [bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test.
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:43 +0100

The installation no longer fits into the 1.6G, leading to a warning while running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
gnu/tests/install.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index c5243f2ed9..f553eeaa3e 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script ls -l /run/current-system/gc-roots parted --script /dev/vdb mklabel gpt \\ mkpart primary ext2 1M 3M \\ - mkpart primary ext2 3M 1.6G \\ + mkpart primary ext2 3M 2G \\ set 1 boot on \\ set 1 bios_grub on echo -n " %luks-passphrase " | \\
--
2.41.0

Subject: [bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
To: 65002@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:44 +0100

The installation no longer fits into the 1.6G, leading to a warning while
running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
gnu/tests/install.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script export GUIX_BUILD_OPTIONS=--no-grafts parted --script /dev/vdb mklabel gpt \\ mkpart primary ext2 1M 3M \\ - mkpart primary ext2 3M 1.6G \\ - mkpart primary 1.6G 2.0G \\ + mkpart primary ext2 3M 2G \\ + mkpart primary 2G 2.4G \\ set 1 boot on \\ set 1 bios_grub on
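Review bot: the ChangeLog entry only mentions the root partition, but the second `mkpart` in %encrypted-home-installation-script also moves the home partition from 1.6G to 2.0G over to 2G to 2.4G; say so in the commit message (its size stays at 0.4G, which is worth stating explicitly so nobody reads this as also growing home). These parted boundaries and the `(* 3000 MiB)` target size added to the two test definitions that follow are hard-coded independently, so the next time the closure grows past the 1526.8 MB quoted in the message all three places must be bumped together; a short comment next to `mkpart primary ext2 3M 2G` pointing at the target size would make that coupling visible.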
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os %encrypted-home-os-source #:script %encrypted-home-installation-script - #:packages (list cpio))) + #:packages (list cpio) + #:target-size + (* 3000 MiB))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) 
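Review bot: `#:target-size (* 3000 MiB)` does not match the ChangeLog line that says the target size goes "to 3G"; 3000 MiB is about 2.93 GiB, so either say 3000 MiB in the commit message or use `(* 3 GiB)` if 3 GiB is what is meant. Also check that `MiB` is bound in gnu/tests/install.scm, since the hunk adds no import for it. The same three added lines are repeated in the %test-encrypted-home-os-key-file hunk that follows; one shared definition would keep the two tests from drifting apart.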
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file %encrypted-home-os-key-file-source #:script %encrypted-home-installation-script - #:packages (list cpio))) + #:packages (list cpio) + #:target-size + (* 3000 MiB))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os-key-file command "encrypted-home-os-key-file")))))
--
2.41.0

Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
To: Ludovic Courtès
Cc: 65002@debbugs.gnu.org
Date: Thu, 11 Jan 2024 18:39:27 +0100
From: Tomas Volf <~@wolfsden.cz>
References: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz> <87il42w0sw.fsf@gnu.org>

On 2024-01-11 13:39:36 +0100, Tomas Volf wrote:
>
> > I wonder if we could have a system test; it doesn’t sound very easy so
> > maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> > which exercises ‘luks-device-mapping’, still passes (it takes time and
> > disk space).
>
> It does not pass, but it fails even on master ¯\_(ツ)_/¯:
>
> guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt
>
> It seems somewhat hard to do it based on encrypted-root-os, but should be much
> easier basing it on encrypted-home-os. I might give it a try.

I managed to figure out the system test for this, however it required unrelated
changes, since encrypted-root-os and encrypted-home-os were broken even on
master. I included my new test (together with the fixes) in v3.

Also, I messed up, and sent this *without* the v3 by accident. When I realized,
I sent it once more, this time properly as v3. Sorry for the noise.

Tomas

--
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Tomas Volf <~@wolfsden.cz>
Subject: bug#65002: closed (Re: [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.)
Date: Sun, 14 Jan 2024 20:54:02 +0000

Your bug report

#65002: [PATCH 0/2] Add support for unlocking root device via a key file

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 65002@debbugs.gnu.org.

--
65002: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=65002
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Ludovic Courtès
To: Tomas Volf <~@wolfsden.cz>
Subject: Re: [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
In-Reply-To: (Tomas Volf's message of "Thu, 11 Jan 2024 18:35:39 +0100")
Date: Sun, 14 Jan 2024 21:53:30 +0100
Message-ID: <874jffhc1h.fsf@gnu.org>

Hi Tomas,

I finally applied v3 of this patch series, it looks great to me.

Thank you, and again apologies for the long delay!

Ludo’.
From: Tomas Volf
To: guix-patches@gnu.org
Subject: [PATCH 0/2] Add support for unlocking root device via a key file
Date: Tue, 1 Aug 2023 22:53:10 +0200

When having an encrypted /boot, it is currently necessary to input a password
twice, once for the /boot (so that grub can find its configuration) and later
once more in order to actually unlock the / itself. It is not very
user-friendly and gets annoying quickly in more exotic setups. For example,
with / on RAID1 BTRFS, the password needs to be entered 4 times. And even
without that, for large encrypted arrays, the password needs to be entered
once per drive.

The obvious solution to this is to just use the --key-file option of the
luksOpen command; however, support for that was not implemented. This series
adds that support.

Another problem is where to store the key file, since it needs to be present
in the initrd, but it cannot be in the store (since that would make it
world-readable, and you do not want that for an encryption key). Luckily for
us, grub can load multiple initrds and merge them, so an option to specify an
additional initrd (not from the store) is added as well.
Since extlinux does not seem to support encrypted /boot (and this new option
should not be used for anything else), it was added only into grub.

Tomas Volf (2):
  mapped-devices: Allow unlocking by a key file
  gnu: bootloader: grub: Add support for loading an additional initrd

 doc/guix.texi                 | 32 +++++++++++++++++
 gnu/bootloader.scm            |  6 +++-
 gnu/bootloader/grub.scm       |  6 ++--
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 4 files changed, 83 insertions(+), 28 deletions(-)

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
--
2.41.0

Subject: [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.
To: Tomas Volf <~@wolfsden.cz>
Cc: 65002@debbugs.gnu.org
From: Ludovic Courtès
In-Reply-To: (Tomas Volf's message of "Thu, 11 Jan 2024 18:35:42 +0100")
Date: Sun, 14 Jan 2024 21:54:10 +0100
Message-ID: <87zfx7fxfx.fsf@gnu.org>

Tomas Volf <~@wolfsden.cz> skribis:

> For testing that installation works, there is no need to spend 2000ms (the
> default) iterating while generating the encryption key. This commit therefore
> sets the iteration time to the lowest possible value, 1(ms).
>
> * gnu/tests/install.scm (%encrypted-root-installation-script):
> (%encrypted-home-installation-script):
> (%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
> invocation.

This and the fixes that follow are much welcome, thanks a lot!